CVE-2026-7813 Overview
CVE-2026-7813 is an authorization vulnerability in pgAdmin 4 server mode affecting the Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user can access another user's private servers, server groups, background processes, and debugger function arguments by guessing object IDs. The Shared Servers feature also exposes credential leakage and privilege escalation paths. The flaw is classified under [CWE-284] Improper Access Control and affects pgAdmin 4 versions before 9.15.
Critical Impact
Authenticated users can read other users' private connection data, write to owner-only fields, and achieve arbitrary command execution in the owner's process context via writable passexec_cmd.
Affected Products
- pgAdmin 4 versions before 9.15 in server mode
- pgAdmin 4 Shared Servers feature
- pgAdmin 4 Background Processes and Debugger modules
Discovery Timeline
- 2026-05-11 - CVE-2026-7813 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-7813
Vulnerability Analysis
The vulnerability spans several pgAdmin 4 modules that handle user-owned objects in server mode. Endpoints in Server Groups, Servers, Shared Servers, Background Processes, and Debugger retrieved records by object ID without scoping the query to the requesting user. An authenticated attacker can enumerate or guess identifiers to read connection metadata, server group definitions, background process state, and debugger function arguments owned by other users.
The Shared Servers feature compounds the issue. Several owner-only fields, including passexec_cmd, passexec_expiration, db_res, and db_res_type, are writable by non-owners through the API. Additional fields such as kerberos_conn, tags, and post_connection_sql lack per-user persistence, so edits by non-owners mutate the owner's record directly via SQLAlchemy session changes.
Root Cause
The root cause is missing per-user access control on user-owned models and API responses. Queries did not filter by the authenticated user, and merge, API response, and ServerManager paths did not suppress owner-only fields when returning shared server data to non-owners. There was no explicit owner-only write guard.
Attack Vector
An authenticated low-privileged user can issue API requests targeting object IDs belonging to other users. The Shared Servers feature exposes passexec_cmd, a shell command executed when establishing a connection. A non-owner who writes a malicious value to passexec_cmd achieves arbitrary command execution in the owner's process context when the owner next connects. The Shared Servers responses also leak credentials via passexec_cmd, passfile, and SSL key references.
No verified public exploit code is available. See pgAdmin Pull Request #9830 and pgAdmin Pull Request #9835 for the remediation details.
Detection Methods for CVE-2026-7813
Indicators of Compromise
- API requests from authenticated users that iterate sequential or unexpected object IDs against /server_groups, /servers, /shared_servers, background process, or debugger endpoints.
- Modifications to Shared Server fields passexec_cmd, passexec_expiration, db_res, db_res_type, kerberos_conn, tags, or post_connection_sql performed by a user that is not the server owner.
- Unexpected child processes spawned by the pgAdmin worker handling a shared server connection.
Detection Strategies
- Audit pgAdmin application logs for cross-user object access patterns and 200-class responses to IDs the requesting user does not own.
- Correlate Shared Server write operations with the authenticated user and the owner of the target record to identify owner mismatches.
- Monitor process trees on pgAdmin hosts for shell or interpreter invocations originating from the pgAdmin service account.
Monitoring Recommendations
- Enable verbose authentication and API access logging on pgAdmin 4 in server mode.
- Forward pgAdmin logs and host process telemetry to a centralized analytics platform for cross-user correlation.
- Alert on any modification to Shared Server records by accounts other than the registered owner.
How to Mitigate CVE-2026-7813
Immediate Actions Required
- Upgrade pgAdmin 4 to version 9.15 or later, which introduces the server_access module and UserScopedMixin.
- Audit existing Shared Server records for unauthorized modifications to passexec_cmd, passfile, SSL key paths, and post_connection_sql.
- Rotate any credentials and SSL keys referenced by Shared Server entries that may have been exposed.
Patch Information
The remediation is delivered in two pull requests against the pgAdmin 4 project. The fix centralises access control via a new server_access module, scopes all user-owned models with a UserScopedMixin, returns HTTP 410 from connection_manager when access is denied in server mode, suppresses owner-only fields for non-owners across the merge, API response, and ServerManager paths, and adds an explicit owner-only write guard. Review pgAdmin Pull Request #9830 and pgAdmin Pull Request #9835 for the applied changes.
Workarounds
- Restrict pgAdmin 4 server mode access to trusted users only until upgrading to 9.15.
- Disable or remove use of the Shared Servers feature where feasible.
- Avoid populating passexec_cmd on shared servers and remove sensitive credentials from passfile references until patched.
# Verify the installed pgAdmin 4 version
pip show pgadmin4 | grep -i version
# Upgrade pgAdmin 4 to a fixed release
pip install --upgrade "pgadmin4>=9.15"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
